X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/dccb279c84a3f523f1c07ffc4ee4e2b526fd5384..refs/pull/1998/head:/app/Http/Controllers/UserApiTokenController.php diff --git a/app/Http/Controllers/UserApiTokenController.php b/app/Http/Controllers/UserApiTokenController.php index 3bfb0175e..55675233c 100644 --- a/app/Http/Controllers/UserApiTokenController.php +++ b/app/Http/Controllers/UserApiTokenController.php @@ -17,7 +17,7 @@ class UserApiTokenController extends Controller { // Ensure user is has access-api permission and is the current user or has permission to manage the current user. $this->checkPermission('access-api'); - $this->checkPermissionOrCurrentUser('manage-users', $userId); + $this->checkPermissionOrCurrentUser('users-manage', $userId); $user = User::query()->findOrFail($userId); return view('users.api-tokens.create', [ @@ -31,7 +31,7 @@ class UserApiTokenController extends Controller public function store(Request $request, int $userId) { $this->checkPermission('access-api'); - $this->checkPermissionOrCurrentUser('manage-users', $userId); + $this->checkPermissionOrCurrentUser('users-manage', $userId); $this->validate($request, [ 'name' => 'required|max:250', @@ -40,23 +40,23 @@ class UserApiTokenController extends Controller $user = User::query()->findOrFail($userId); $secret = Str::random(32); - $expiry = $request->get('expires_at', (Carbon::now()->addYears(100))->format('Y-m-d')); $token = (new ApiToken())->forceFill([ 'name' => $request->get('name'), - 'client_id' => Str::random(32), - 'client_secret' => Hash::make($secret), + 'token_id' => Str::random(32), + 'secret' => Hash::make($secret), 'user_id' => $user->id, - 'expires_at' => $expiry + 'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(), ]); - while (ApiToken::query()->where('client_id', '=', $token->client_id)->exists()) { - $token->client_id = Str::random(32); + while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) { + $token->token_id = Str::random(32); } $token->save(); - // TODO - Notification and activity? + session()->flash('api-token-secret:' . $token->id, $secret); + $this->showSuccessNotification(trans('settings.user_api_token_create_success')); return redirect($user->getEditUrl('/api-tokens/' . $token->id)); } @@ -87,9 +87,12 @@ class UserApiTokenController extends Controller ]); [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId); + $token->fill([ + 'name' => $request->get('name'), + 'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(), + ])->save(); - $token->fill($request->all())->save(); - // TODO - Notification and activity? + $this->showSuccessNotification(trans('settings.user_api_token_update_success')); return redirect($user->getEditUrl('/api-tokens/' . $token->id)); } @@ -113,7 +116,7 @@ class UserApiTokenController extends Controller [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId); $token->delete(); - // TODO - Notification and activity?, Might have text in translations already (user_api_token_delete_success) + $this->showSuccessNotification(trans('settings.user_api_token_delete_success')); return redirect($user->getEditUrl('#api_tokens')); } @@ -124,8 +127,9 @@ class UserApiTokenController extends Controller */ protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array { - $this->checkPermission('access-api'); - $this->checkPermissionOrCurrentUser('manage-users', $userId); + $this->checkPermissionOr('users-manage', function () use ($userId) { + return $userId === user()->id && userCan('access-api'); + }); $user = User::query()->findOrFail($userId); $token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();